JP2018088616A - Attack detector, attack detection method, and attack detection program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve attack detection accuracy.SOLUTION: An attack detector includes a transmission reception unit and a calculation unit. The transmission reception unit receives a message from a communication device in a network. The calculation unit calculates the reception period of a periodic message received after the first message, by using the reception time of the first message of the periodic message transmitted periodically. The transmission reception unit receives a second message, corresponding to the information indicating transmission at a transmission interval shorter than the transmission period, after the first message is received by the transmission reception unit. Thereafter, the calculation unit updates the reception period of the periodic message, received after the second message, by using the reception time and the transmission period of the second message.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an attack detection device, an attack detection method, and an attack detection program.

  Network technology called CAN (Controller Area Network) may be used to transmit and receive data and control information between devices used in an in-vehicle network or factory automation of an automobile. A system in which CAN is used includes a plurality of ECUs (electronic control units). The ECUs communicate with each other by transmitting and receiving data frames (messages). In CAN, a data frame used for communication includes identification information (ID) used to identify a data frame. Each ECU stores the ID of the received data frame in advance. Since data frames are broadcast in CAN, a plurality of data frames reach the ECU connected to CAN at the same time. When the transmission timings of the data frames coincide with each other in a plurality of data frames, the priority order of the data frames is determined based on the value of the ID included in the data frame, and the priority data frame is transmitted first. Non-prioritized data frames are broadcast after transmission of the prioritized data frame. When a data frame is broadcast, each ECU receives a data frame including an ID set to be received by the ECU, but discards a data frame including an ID not set as a reception target.

  However, when an attack to the network is performed using a data frame including an ID set to be received by the ECU, each ECU receives a frame used for the attack. The ECU that has received the frame used for the attack may perform an operation that is not originally performed due to the reception of the frame. Therefore, attempts have been made to identify the frames transmitted by the attack. For example, it has been proposed that when a data frame that does not conform to a predetermined rule regarding the transmission period of the data frame is received, a specific identifier in the data frame is verified to determine whether the data frame is due to an attack (for example, a patent). Reference 1).

International Publication No. 2015/170451

  In a system in which both a periodically transmitted message and a message that is not transmitted every period are transmitted, it may be difficult to specify a frame used for an attack. In the technology described in the background art, when a message is transmitted periodically based on the transmission time of the message after transmission of a message transmitted at a non-transmission period, the periodically transmitted message is used for an attack. May be mistaken for a frame to be received.

  One object of the present invention is to improve the accuracy of attack detection.

  An attack detection apparatus according to one aspect includes a transmission / reception unit and a calculation unit. The transmission / reception unit receives a message from a communication device in the network. A calculation part calculates the reception period of the periodic message received after the said 1st message using the reception time of the 1st message of the periodic message transmitted periodically. The transmission / reception unit receives the second message associated with the information indicating that the transmission is performed at a transmission interval shorter than the transmission cycle outside the reception period after the reception of the first message. Then, the calculation unit updates a reception period of a periodic message received after the second message, using the reception time of the second message and the transmission period.

  The accuracy of attack detection is improved.

It is a figure explaining the example of the attack detection method concerning embodiment. It is a figure explaining the example of a structure of an attack detection apparatus. It is a figure explaining the example of a structure of a transmitter. It is a figure explaining the example of a hardware configuration. It is a figure explaining the example of a network. It is a figure which shows the example of the format of the flame | frame transmitted / received. It is a figure which shows the example of the information which a transmission device hold | maintains. It is a flowchart explaining the example of a transmission process. It is a figure explaining the example of the information which an attack detection apparatus hold | maintains. It is a figure explaining the example of the attack detection method concerning 1st Embodiment. It is a flowchart explaining the example of a process of an attack detection apparatus. It is a figure explaining the example of the problem which arises when a margin is not appropriate. It is a figure explaining the example of a structure of an attack detection apparatus. It is a figure explaining the example of the attack detection method concerning 2nd Embodiment. It is a figure explaining the example of the information which an attack detection apparatus hold | maintains. It is a figure explaining the example of the attack detection method concerning 2nd Embodiment. It is a flowchart explaining the example of a process of an attack detection apparatus. It is a flowchart explaining the example of a process of an attack detection apparatus.

  FIG. 1 is a diagram illustrating an example of an attack detection method according to the embodiment. In FIG. 1, black triangles (▲) indicate the timing at which the attack detection device receives data frames (periodic messages) that are periodically transmitted, and white triangles (Δ) indicate data frames that are transmitted regardless of the period (non-periods). The timing at which the attack detection device receives a periodic message). In case C1, messages M2 and M3 transmitted aperiodically are transmitted between messages M1 and M4, which are messages transmitted periodically, and thereafter periodic messages M5 and M6 are transmitted. At this time, the reference of the cycle is not changed from the time when the message M1 is transmitted. On the other hand, in the case C2, a message M13 that is transmitted aperiodically is transmitted after the messages M11 and M12 that are periodically transmitted messages, and then a periodic message with the transmission time of the message M13 as a period reference. M14 and M15 are transmitted.

  In the method according to the embodiment, the communication device (transmitting device) that transmits the data frame transmits the message to be transmitted in a state where the elapsed time from the transmission time of the previously transmitted message is shorter than the cycle. Performs processing to make the attack detection device recognize. This process is performed regardless of whether the message is transmitted periodically or aperiodically. For example, the transmission apparatus can include a flag (short interval flag) used for determining whether the message is transmitted at an interval shorter than the cycle in the frame to be transmitted. In the description of FIG. 1, it is assumed that the transmission apparatus sets a short interval flag = 1 for a message transmitted at a transmission interval shorter than the cycle, and sets a short interval flag = 0 for a message transmitted according to the cycle.

  For example, when the transmission cycle is T, in case C2, the transmission device transmits the message M13 from the transmission time of the message M12 before the message transmission cycle elapses. For this reason, the transmission apparatus sets the short interval flag to 1 in the message M13. On the other hand, the transmission device transmits the message M14 when the transmission cycle elapses from the transmission time of the message M13, and transmits the message M15 when the transmission cycle elapses from the transmission time of the message M14. For this reason, the short interval flag is set to 0 in the messages M14 and M15. Similarly, the short interval flag is set to 0 in the message M12.

  If the received message is a message sent before the message transmission cycle has elapsed since the previous message transmission time, the attack detection device uses the received message as a reference when the subsequent messages are sent periodically. Predict the reception time. On the other hand, if the received message is a message transmitted according to the message transmission cycle from the previous message transmission time, the attack detection device may attack the attack if the message reception time is within the predicted reception period. It is determined that the frame is not used.

  For example, the attack detection device receives the message M13 after receiving the message M12. Since the short interval flag = 1 in the message M13, the attack detection apparatus sets the period around the time when the message transmission interval T has elapsed from the reception time of the message M13 as the reception period of the message received next to the message M13. calculate. Here, the reception period of the message received next to message M13 is represented by arrow Px.

  The attack detection apparatus receives the message M14 in which the short interval flag = 0 is set next to the message M13. In the example of case C2, the reception time of the message M14 is within the range of the reception period (arrow Px) predicted for the message M14. Therefore, the attack detection device determines that the message M14 is not an attack frame. Then, the attack detection device calculates the reception period of the message received next to the message M14 using the reception time of the message M14 and the transmission cycle T. Here, the reception period of the message received next to message M14 is represented by arrow Py. After the message M14, the attack detection device receives the message M15 in which the short interval flag = 0 is set during the predicted reception period (arrow Py). Therefore, the attack detection device determines that the message M15 is not an attack frame.

  As described above, in the method according to the embodiment, the attack detection device can specify whether the received message is a message transmitted from the transmission device at an interval shorter than the cycle by using the short interval flag or the like. . For this reason, as in case C2, even if a periodic message is transmitted based on a non-periodically transmitted message after a non-periodically transmitted message, the periodic message is used for attack. Can be determined. In CAN and the like mounted on a vehicle, there are many systems in which a periodic message is transmitted based on a non-periodically transmitted message as in the case C2. Therefore, the method according to the embodiment is mounted on the vehicle. It is easy to apply to CAN.

  The method according to the embodiment is not limited to the case C2, but even if the aperiodic message is transmitted between the periodic messages as shown in the case C1, the periodic message is used for the attack. Whether it is a frame can be determined.

  For example, when the transmission cycle is T, in case C1, the transmission device transmits messages M2, M3, and M4 before the message transmission cycle elapses from the previous message transmission time. For this reason, the transmission device sets the short interval flag to 1 in the messages M2, M3, and M4. On the other hand, the transmission device transmits the message M5 when the transmission cycle elapses from the transmission time of the message M4, and transmits the message M6 when the transmission cycle elapses from the transmission time of the message M5. For this reason, the short interval flag is set to 0 in the messages M5 and M6.

  On the other hand, the attack detection device receives the message M2 after receiving the message M1. Since the short interval flag = 1 in the message M2, the attack detection apparatus calculates the reception period of the message received next to the message M2, using the reception time of the message M2 and the message transmission interval T. The attack detection device receives the message M3 next to the message M2, but since the short interval flag = 1 is set also in the message M3, the reception period of the message received next to the message M3 is calculated. The attack detection device receives the message M4 next to the message M3, but since the short interval flag = 1 is set also in the message M4, the reception period of the message received next to the message M4 is calculated. Here, the reception period of the message received next to message M4 is represented by arrow Pa.

  The attack detection apparatus receives the message M5 in which the short interval flag = 0 is set next to the message M4. In the example of case C1, since the reception time of the message M5 is within the range of the reception period (arrow Pa) predicted for the message M5, the attack detection device determines that the message M5 is not an attack frame. Then, the attack detection device calculates the reception period of the message received next to the message M5 using the reception time of the message M5 and the transmission cycle T. A reception period of a message received next to the message M5 is represented by an arrow Pb. It is assumed that the attack detection device receives a message M6 set with the short interval flag = 0 after the message M5 during the predicted reception period (arrow Pb). Then, the attack detection device determines that the message M6 is not an attack frame.

  As described above, the method according to the embodiment includes a system in which the time that is the reference of the period of the periodic message varies depending on the transmission time of the aperiodic message and a system in which the time that is the reference of the period of the periodic message does not vary depending on the aperiodic message. It can be applied to any of the above. This improves the accuracy of attack detection in a system in which both data frames that are periodically transmitted and data frames that are not transmitted every period are transmitted. By the method according to the embodiment, in particular, the detection accuracy of an attack posing as a periodic message is improved.

<Example of device configuration and network>
FIG. 2 is a diagram illustrating an example of the configuration of the attack detection apparatus 10. The attack detection device 10 includes a transmission / reception unit 11, a control unit 20, and a storage unit 30. The control unit 20 includes a calculation unit 21 and a determination unit 22. The storage unit 30 holds a transmission condition 31, reception status information 32, and reception prediction 33.

  The transmission condition 31 associates the ID included in the periodic message received by the attack detection device 10 with the transmission period of the periodic message identified by the ID. The reception status information 32 records the reception time of the latest message received by the attack detection device 10. An example of the transmission condition 31 and the reception status information 32 will be described later.

  The calculation unit 21 calculates the reception prediction of the periodic message for each ID using the transmission condition 31 and the reception status information 32. The calculation unit 21 stores the obtained calculation result in the reception prediction 33. For this reason, the reception prediction 33 is also generated for each ID. An example of the reception prediction 33 will also be described later. The determination unit 22 determines whether an attack has occurred on the network using the short interval flag and the reception prediction 33 in the received message.

  FIG. 3 is a diagram illustrating an example of the configuration of the transmission device 40. The transmission device 40 includes a transmission / reception unit 11, a control unit 50, and a storage unit 60. The control unit 50 includes a data generation unit 51, a flag setting unit 52, and a frame generation unit 53. The storage unit 60 holds a transmission condition 61 and a flag setting condition 62.

  The transmission condition 61 associates the ID included in the periodic message transmitted by the transmission device 40 with the transmission period of the periodic message identified by the ID. The flag setting condition 62 represents the setting condition of the short interval flag. Here, the short interval flag is a flag indicating whether the elapsed time from the transmission time of the previous transmission frame having the same identification information as the transmission target frame to the transmission time of the transmission target frame is shorter than the transmission cycle. It is.

  The data generation unit 51 generates data to be included in the transmission frame. The flag setting unit 52 sets a short interval flag. The frame generation unit 53 generates a transmission target frame using the data generated by the data generation unit 51 and the setting result of the short interval flag in the flag setting unit 52. The transmission / reception unit 11 transmits / receives a frame to / from another device.

  FIG. 4 is a diagram illustrating an example of the hardware configuration of the attack detection device 10 and the transmission device 40. In the example of FIG. 4, the attack detection device 10 and the transmission device 40 are realized as the ECU 100. The ECU 100 includes a CAN transceiver 101, a CAN controller 102, and a processing circuit 103. The processing circuit 103 includes a processor 104 and a memory 105.

  The CAN transceiver 101 appropriately performs processing for the ECU 100 to communicate with other devices in the CAN network, such as adjustment of bus voltage. The CAN controller 102 extracts data by performing processing such as CRC (Cyclic Redundancy Check) check and bit stuffing on the received frame. The CAN controller 102 outputs data to the processor 104. The processor 104 is an arbitrary processing circuit, and can be a CPU (Central Processing Unit), for example. The processor reads the program stored in the memory 105 and performs processing. The ECU 100 may include a device for reading a program and data from a storage medium. In this case, the program may be recorded in an arbitrary storage medium, and is appropriately read from the storage medium by the ECU 100.

  In the attack detection device 10, the transmission / reception unit 11 is realized by the CAN transceiver 101 and the CAN controller 102. The processor 104 operates as the control unit 20. The memory 105 operates as the storage unit 30. In the transmission device 40, the transmission / reception unit 11 is realized by the CAN transceiver 101 and the CAN controller 102. The processor 104 operates as the control unit 50. The memory 105 operates as the storage unit 60.

<Example of network and frame>
FIG. 5 is a diagram illustrating an example of a network. In the network N1 shown in FIG. 5, a plurality of ECUs 100 (ECU0 to ECUk) are connected to each other through a single bus so that frames can be transmitted and received. Assume that one or more of the ECUs 100 included in the network of FIG. For example, one attack detection device 10 may detect an attack on all periodic messages transmitted and received in the network. Further, the detection target may be determined for each attack detection device 10 so as to detect attacks on all periodic messages using a plurality of attack detection devices 10. In addition, one or more of the ECUs 100 included in the network of FIG.

  An example of the transmission timing of the periodic message and the reception timing at the attack detection apparatus 10 are also shown in FIG. In the example of FIG. 5, it is assumed that the ECU 0 operates as the attack detection device 10 to detect an attack on each periodic message of ID = A, B, and C. In this case, the ECU 0 operating as the attack detection device 10 acquires each periodic message of ID = A, B, and C as a reception target. On the other hand, the ECU 1 transmits a periodic message with ID = A, and the ECU 2 transmits a periodic message with ID = B. Moreover, ECU3 shall transmit the periodic message of ID = C.

  As shown in the timing chart of FIG. 5, the periodic messages of ID = A, B, and C are received by the ECU 0 almost simultaneously with the transmission timing. The ECU 0 detects an attack by analyzing the reception timing of the received message in association with the ID in the message. Details of attack detection will be described later.

  FIG. 6 is a diagram illustrating an example of a format of a frame to be transmitted / received. F11 in FIG. 6 is a frame format example of the general specification, and F12 is a frame format example used in the extended specification.

  The general specification frame includes an SOF (Start of Frame), an arbitration field, a control field, a data field, a CRC field, an ACK field, and an EOF (End of Frame). The arbitration field includes ID and RTR (Remote Transmission Request). Here, the ID is identification information used for identifying the data frame. The control field includes IDE (Identifier Extension), reserved bits, and DLC (Data Length Code). The CRC field includes a CRC sequence and a CRC delimiter. The ACK field includes an ACK slot and an ACK delimiter. Note that the bit length of the information element included in each field is as described in the bottom line of F11. For example, the length of the ID is 11 bits, and the length of the data field is a variable length of 0 to 64 bits.

  The data frame (F12) used in the extended specification also includes an SOF, an arbitration field, a control field, a data field, a CRC field, an ACK field, and an EOF. The arbitration field of the extended specification includes ID base, SRR (Substitute Remote Request Bit), IDE, ID extension, and RTR. In the extended specification, data frame identification information (ID) is represented by a bit string obtained by connecting a bit string stored as an ID base to a bit string stored as an ID extension. From the control field to EOF, the extended specification format is the same as the general specification format. Further, the bit length of the information element included in each field is as described in the bottom line of F12. For this reason, in the extended format, a 29-bit bit string including 11 bits of ID base and 18 bits of ID extension is used as identification information of the transmission source.

  The short interval flag is included in the data field regardless of whether the format of the frame transmitted and received in the system is F11 or F12. Further, it is assumed that the transmission device 40 and the attack detection device 10 have previously stored an area in which a short interval flag is recorded in the data field. For example, the setting position of the short interval flag may be included in the transmission condition 31, the transmission condition 61, the flag setting condition 62, and the like.

  Hereinafter, an example of processing performed in each embodiment will be described by taking as an example a case where a data frame using the format shown in F11 of FIG. 6 is transmitted and received. The same processing is performed even when the data frame used for communication is an extended specification.

<First Embodiment>
Hereinafter, the first embodiment will be described by dividing it into frame transmission from the transmission device 40 and determination processing in the attack detection device 10.

(1) Transmission of Frame from Transmitting Device 40 FIG. 7 is a diagram illustrating an example of information held by the transmitting device 40. The transmission condition 61 includes the ID included in the message transmitted by the transmission device 40, the transmission cycle, and the position of the short interval flag. The transmission cycle is a cycle in which a periodic message identified by the ID in the entry is transmitted. The position of the short interval flag is information for designating an area of the data field used as a short interval flag of the message identified by the ID in the entry. For example, in the transmission condition 61 in FIG. 7, a periodic message with ID = 0x123 is transmitted at a period of 100 milliseconds, and the first bit of the data field is used as a short interval flag in a message with ID = 0x123. It has been shown.

  The flag setting condition 62 is associated with a condition for setting the value of each short interval flag. In the example of FIG. 7, for a message identified by a certain ID, if the period from the previous message transmission time to the current message transmission time matches the cycle, the short interval flag = 0 may be set. It is recorded in the flag setting condition 62. On the other hand, for a message identified by a certain ID, if the period from the previous message transmission time to the current message transmission time is shorter than the period, the short interval flag = 1 is set. For example, the flag setting unit 52 holds a timer for measuring a frame transmission interval for each ID of a frame to be transmitted, and determines the setting value of the short interval flag using the count value of the timer. I can.

  FIG. 8 is a flowchart illustrating an example of transmission processing. In the example of FIG. 8, it is assumed that the timer is set to expire at the transmission cycle associated with the ID included in the message (data frame) for which the transmission interval is measured by the timer. . For example, when the transmission device 40 holds the transmission condition 61 shown in FIG. 7, the timer used for processing the message with ID = 0x123 is set to expire in 100 ms.

  The flag setting unit 52 initializes the timer (step S1). Thereafter, the flag setting unit 52 determines whether the timer has expired (step S2). If the timer has not expired, the flag setting unit 52 determines whether an event for transmitting a message has occurred (No in step S2, step S3). When the event for transmitting the message has not occurred, the flag setting unit 52 counts up the timer and returns to Step S2 (No in Step S3, Step S4).

  On the other hand, when the event which transmits a message has generate | occur | produced, the transmission process of the message transmitted aperiodically is performed (Yes in step S3). The flag setting unit 52 sets the short interval flag to 1 (step S5). The flag setting unit 52 notifies the frame generation unit 53 of the value of the short interval flag. The frame generation unit 53 generates a transmission message using the data generated by the data generation unit 51, the value of the short interval flag acquired from the flag setting unit 52, and the position information of the short interval flag (step S7). The transmission / reception unit 11 transmits the generated message and returns to step S1 (step S8).

  If the timer has expired in step S2, transmission processing of a periodically transmitted message is performed (Yes in step S2). The flag setting unit 52 sets the short interval flag to 0 (step S6). Thereafter, the flag setting unit 52 notifies the frame generation unit 53 of the value of the short interval flag. For this reason, the process of step S7 and S8 is performed after the process of step S6.

  FIG. 8 is an example of processing of the transmission device 40, and can be changed according to the implementation. For example, as shown in case C1 of FIG. 1, in a system in which a non-periodic message is transmitted without changing the reference of the periodic message, the process of the transmission device 40 is modified so as to return to step S2 after the process of step S8. Is done.

(2) Determination Processing in Attack Detection Device 10 FIG. 9 is a diagram for explaining an example of information held by the attack detection device 10. The attack detection apparatus 10 stores a transmission condition 31 in advance. The transmission condition 31 includes an ID, a transmission cycle, a margin, and a position of a short interval flag included in a message received by the attack detection apparatus 10. The transmission cycle is a cycle in which a periodic message identified by the ID in the entry is transmitted. The margin is a value used as an allowable value in a range deviating from the transmission cycle when the reception period of the periodic message identified by the ID in the entry is predicted. The position of the short interval flag is information for specifying an area used as the short interval flag in the data field of the message identified by the ID in the entry.

  In the transmission condition 31 in FIG. 9, a 10 ms margin is used to transmit a periodic message with ID = 0x123 in a 100 ms cycle and to predict a reception period for the periodic message with ID = 0x123. It has been shown. Further, in the message having ID = 0x123, the transmission condition 31 also includes that the first bit of the data field is used as the short interval flag.

  In the reception status information 32, the reception time of a message that can be used for calculation of the reception period is recorded in association with the ID included in the message that can be used for calculation of the reception period. Here, as messages that can be used for calculation of the reception period, a periodic message determined not to be used for an attack and a message transmitted at an interval shorter than the period are used. The determination unit 22 records the reception time of the message received last among the messages usable for the calculation of the reception period in the reception status information 32. FIG. 9 shows a recording example of the reception status information 32. In the example of FIG. 9, the time when the attack detection apparatus 10 received a message including ID = 0x123 is 50 ms. The determination process in the determination unit 22 will be described with reference to FIG.

  When the reception status information 32 is updated, the calculation unit 21 generates a reception prediction 33 for each ID using the transmission cycle and the margin recorded in the transmission condition 31. FIG. 9 shows an example of the reception prediction 33 generated for the periodic message with ID = 0x123. Since a message that can be used for calculation of the reception period is received at 50 ms, the period during which a message transmitted according to the transmission period T can be received (reception period) is calculated as 50 ms + 100 ms ± 10 ms. Therefore, when the next message received with ID = 0x123 and the short interval flag = 0 is received, if the received message is not a frame caused by an attack, it is expected to be received in the reception period of 140 ms to 160 ms.

  FIG. 10 is a diagram for explaining an example of the attack detection method according to the first embodiment. In FIG. 10, the black downward triangle (▼) indicates the timing at which the attack detection apparatus 10 received a message with the short interval flag = 0, and the white downward triangle (▽) is set to the short interval flag = 1. The timing at which the attack detection apparatus 10 receives the received message is shown. In FIG. 10, it is assumed that both the messages M21 to M23 and the frame AT1 used for the attack are identified by ID = 0x123.

  Assume that the attack detection apparatus 10 has not received any message that can be used for calculation of the reception period at 0 ms in case C11. In this case, no data is recorded in the reception status information 32 and the reception prediction 33.

  Thereafter, it is assumed that the message M21 including ID = 0x123 reaches the attack detection apparatus 10 in 50 ms. At this time, since the reception prediction 33 has not been obtained, the determination unit 22 determines that the message M21 is not a frame due to an attack. The determination unit 22 records the reception time of the message M21 in the reception status information 32 (FIG. 9).

  When the reception status information 32 is updated, the calculation unit 21 uses a transmission period and a margin recorded in the transmission condition 31 (FIG. 9), and can receive a message transmitted according to the transmission period T (reception Period). In the message transmitted according to the transmission cycle T, the short interval flag = 0. The calculation unit 21 calculates the reception period of the message including the short interval flag = 0 as 140 ms to 160 ms by the process described with reference to FIG. The reception period calculated by the calculation unit 21 for the message received next to the message M21 is indicated by an arrow P1.

  It is assumed that the message M22 identified by ID = 0x123 reaches the attack detection apparatus 10 at 148 ms. The determination unit 22 determines whether the reception time of the message M22 matches the information in the reception prediction 33. Since the reception prediction 33 is 140 ms to 160 ms as indicated by the arrow P1, the reception time of the message M22 matches the information in the reception prediction 33. Therefore, the determination unit 22 determines that the message M22 is not an attack frame. The determination unit 22 updates the reception status information 32 using the reception time of the message M22.

  When the reception status information 32 is updated, the calculation unit 21 calculates the reception period when the next message to be received is the short interval flag = 0, using the transmission cycle and the margin. Since the reception time of the message M22 is 148 ms, it is assumed that the calculation unit 21 calculates the reception period of the message including the short interval flag = 0 as 148 ms + 100 ms ± 10 ms = 238 ms to 258 ms. The reception period calculated by the calculation unit 21 for the message received next to the message M22 is indicated by an arrow P2. The calculation unit 21 updates the reception prediction 33 with the obtained calculation result.

  Case C12 shows a case where the message M23 reaches the attack detection device 10 after the case C11. Assume that a message M23 identified by ID = 0x123 reaches the attack detection apparatus 10 in 200 ms. The determination unit 22 determines whether the reception time of the message M23 matches the information in the reception prediction 33. Since the reception prediction 33 is 238 ms to 258 ms as indicated by the arrow P2, the reception time of the message M23 does not match the information in the reception prediction 33.

  Therefore, the determination unit 22 specifies the value of the short interval flag included in the message M23. At this time, the determination unit 22 uses information on the position of the short interval flag in the transmission condition 31. The short interval flag is the first bit of the data field of the message M23. Here, it is assumed that the value of the first bit of the data field of the message M23 is 1. In this case, since the value of the short interval flag is 1, the message M23 is transmitted before 100 ms which is the transmission cycle elapses from the transmission of the message M22. Therefore, the determination unit 22 determines that the message M23 is not a frame used for an attack. The determination unit 22 updates the reception status information 32 with the reception time of the message M23. In other words, the determination unit 22 can recognize that the message with the short interval flag = 0 is not received during the period indicated by the dashed arrow P2 by receiving the message M23.

  When the reception status information 32 is updated, the calculation unit 21 calculates the reception period when the next message to be received is the short interval flag = 0, using the transmission cycle and the margin. Since the reception time of the message M23 is 200 ms, it is assumed that the calculation unit 21 calculates the reception period of the message including the short interval flag = 0 as 200 ms + 100 ms ± 10 ms = 290 ms to 310 ms. The reception period calculated by the calculation unit 21 for the message received next to the message M23 is indicated by an arrow P3. The calculation unit 21 updates the reception prediction 33 with the obtained calculation result.

  Case C13 shows a case where the attack frame AT1 reaches the attack detection apparatus 10 after case C12. Assume that the attack frame AT1 identified by ID = 0x123 reaches the attack detection apparatus 10 at 250 ms. The determination unit 22 determines whether the reception time of the attack frame AT1 matches the information in the reception prediction 33. Since the reception prediction 33 is 290 ms to 310 ms as indicated by the arrow P3, the reception time of the attack frame AT1 does not match the information in the reception prediction 33.

  Therefore, the determination unit 22 identifies the value of the short interval flag included in the attack frame AT1. It is assumed that the value of the first bit of the data field of the attack frame AT1 is 0. In this case, since the value of the short interval flag is 0, the attack frame AT1 is transmitted after 100 ms, which is the transmission cycle T, from the transmission of the message M23. The reception time does not match the reception prediction 33. Therefore, the determination unit 22 determines that the attack frame AT1 is a frame used for an attack.

  FIG. 11 is a flowchart illustrating an example of processing of the attack detection apparatus. Note that FIG. 11 is an example, and the processing order can be changed according to the implementation. For example, the order of steps S15 and S16 can be arbitrarily changed.

  The transmission / reception unit 11 receives the message (step S11). The determination unit 22 determines whether the reception is during the period expected as the reception prediction 33 using the reception time of the message (step S12). If the reception is not received during the period expected as the reception prediction 33, the determination unit 22 determines whether the value of the short interval flag of the message is set to 1 (No in step S12, step S13). When the value of the short interval flag of the message is not set to 1, the determination unit 22 determines that the message is an attack frame and discards the message (No in step S13, step S14).

  On the other hand, when the value of the short interval flag of the message is set to 1, the calculation unit 21 predicts the reception time of the message received in the next cycle using the message reception time (Yes in step S13). Step S15). In this case, the determination unit 22 determines that the message has been normally received (step S16). Even if it is determined in step S12 that the reception is predicted during the period expected as the reception prediction 33, the processes in steps S15 and S16 are performed.

  FIG. 11 is an example of processing performed by the attack detection apparatus 10, and the processing can be changed according to the implementation. For example, when the determination unit 22 detects reception of a message during the period expected as the reception prediction 33 (Yes in step S12), the determination unit 22 determines whether the value of the short interval flag in the received message is set to 0. It may be set as follows.

  As described above, in the method according to the first embodiment, the attack detection device 10 specifies whether the received message is a message transmitted from the transmission device at an interval shorter than the cycle by using the short interval flag. be able to. The attack detection device 10 uses the message received during the period predicted as the reception prediction 33 or the message that has been confirmed to be transmitted at an interval shorter than the transmission cycle by the short interval flag. Predict the reception time. For this reason, in the method according to the first embodiment, the time that is the reference of the period of the periodic message varies depending on the transmission time of the aperiodic message, and the time that is the reference of the period of the periodic message varies depending on the aperiodic message. It can be applied to any system that does not. Therefore, according to the first embodiment, the accuracy of attack detection in a system in which both messages that are periodically transmitted and messages that are not transmitted every period are transmitted is improved.

<Second Embodiment>
In the second embodiment, a description will be given of processing when a margin is widened in order to prevent erroneous detection even when the transmission timing of a periodic message fluctuates due to overlapping transmission timings of frames.

  FIG. 12 is a diagram illustrating an example of a problem that occurs when the margin is not appropriate. In case C21, all the frames include ID = 0x123. In case C21, it is assumed that the periodic message is transmitted at a period of 100 ms and the margin is set to 10 milliseconds. Assume that the attack detection apparatus 10 receives the first periodic message M31 at 0 ms. Then, the attack detection apparatus 10 determines that the periodic message M32 is not an attack if the periodic message M32 is received within a period (Z1) of 90 ms to 110 ms from the reception of the periodic message M31 using the margin. Assume that the attack detection apparatus 10 receives the second periodic message M32 in 101 ms. Then, since the difference between the reception times of the periodic message M31 and the periodic message M32 is 101 ms and is within the range calculated using the margin, the attack detection apparatus 10 determines that the periodic message M32 is not an attack. The attack detection apparatus 10 predicts a period for receiving the third periodic message as a period (Z2) of 191 ms to 211 ms based on the reception time of the periodic message M32.

  Next, it is assumed that the timing at which the third periodic message M33 is transmitted is delayed due to the transmission with other messages. For this reason, it is assumed that the attack detection apparatus 10 receives the third periodic message M33 in 240 ms. In this case, the difference between the reception times of the periodic message M32 and the periodic message M33 is 139 ms, which is not included in the range (Z2) allowed when calculated using the margin. For this reason, the attack detection device 10 erroneously detects the periodic message M33 as an attack. Furthermore, the attack detection apparatus 10 calculates the reception interval with reference to the reception time of the periodic message M33. As shown in case C21, when the fourth periodic message is received at 301 ms, the attack detection apparatus 10 has a difference in reception time between the periodic message M33 and the periodic message M34 of 61 ms, which is acceptable when calculated using a margin. It is determined that it is not included in the range. For this reason, the attack detection device 10 erroneously detects that the periodic message M34 is also an attack.

However, a wide margin can prevent false detection, but sometimes misses an attack. In case C22, it is assumed that a periodic message M41, a periodic message M42, an attack frame AT2, a periodic message M43, and a periodic message M44 are transmitted as a frame including ID = 0x123. In the attack detection apparatus 10, it is assumed that the transmission cycle is set to 100 ms, the margin is set to 40 ms, and each frame is received at the following timing.
Periodic message M41: 0 ms
Periodic message M42: 101 ms
Attack frame AT2: 161 ms
Periodic message M43: 240 ms
Periodic message M44: 301 ms

  In case C22, the attack detection device 10 determines that an attack has not occurred if the interval between the reception times of the two frames is within the transmission cycle ± margin period. The transmission cycle ± margin is 60 ms to 140 ms. Upon receiving the periodic message M41, the attack detection device 10 predicts the period indicated by P11 as the reception period of the periodic message M42. The reception time of the periodic message M42 is 101 ms from the reception of the periodic message M41, and is included in a period (P11) in which 60 ms to 140 ms have elapsed from the reception time of the periodic message M41. For this reason, the attack detection apparatus 10 determines that no attack has occurred.

  Next, the attack detection apparatus 10 predicts a period (P12) in which 60 ms to 140 ms have elapsed from the reception time of the periodic message M42 as the reception period of the periodic message M43. Upon receiving the attack frame AT2, the attack detection apparatus 10 determines that the frame has been received during the period P12 because it has received the attack frame AT2 in 60 ms from the periodic message M42. For this reason, the attack detection apparatus 10 determines that no attack has occurred.

  The attack detection apparatus 10 predicts a period (P13) in which 60 ms to 140 ms have elapsed from the reception time of the attack frame AT2 as the reception period of the periodic message M44. Upon receiving the periodic message M43, the attack detection apparatus 10 determines that it has received a frame during the period P13 because it has received the periodic message M43 in 79 ms from the reception of the attack frame AT2. For this reason, the attack detection apparatus 10 determines that no attack has occurred.

  Similarly, the attack detection apparatus 10 predicts a period (P14) in which 60 ms to 140 ms have elapsed from the reception time of the periodic message M43 as the reception period of the periodic message M45. When receiving the periodic message M44, the attack detection apparatus 10 determines that it has received the frame during the period P14 because it has received the periodic message M44 in 61 ms from the reception of the periodic message M43. For this reason, the attack detection apparatus 10 determines that no attack has occurred. As described above, in the detection method of the case C22, since the margin is wide, it is overlooked that the attack by the attack frame AT2 is occurring.

  Therefore, in the second embodiment, an attack detection method that can prevent an oversight of a frame used for an attack and prevent an erroneous detection of the attack even when a wide margin is provided will be described.

  FIG. 13 is a diagram for explaining an example of the configuration of the attack detection device 70. The attack detection device 70 includes a transmission / reception unit 11, a control unit 71, and a storage unit 75. The control unit 71 includes a calculation unit 72, a determination unit 73, and a reference update processing unit 74. The storage unit 75 stores a reference time 76, a reception prediction 77, and a transmission condition 31, and optionally stores reception status information 32.

  The reference update processing unit 74 selects a message that is a reference for calculation of the reception prediction 77. As a message serving as a reference for calculation of the reception prediction 77, a message transmitted at an interval shorter than the transmission cycle is used. Further, the reference update processing unit 74 may select a reference message from among periodic messages in order to eliminate error accumulation by periodically updating the reference message. The reference update processing unit 74 stores the reception time of the message selected as the reference message in the storage unit 75 as the reference time 76.

  The calculation unit 72 calculates reception predictions for a plurality of periodic messages for each ID using the reference time 76 and the transmission condition 31. The calculation unit 72 stores the obtained calculation result in the reception prediction 77. For this reason, the reception prediction 77 is also generated for each ID. An example of the reception prediction 77 will be described later.

  FIG. 14 is a diagram illustrating an example of an attack detection method according to the second embodiment. In step S21, the reference update processing unit 74 selects a message selected from the periodic messages or a message with the short interval flag = 1 as the reference message. The reference message is a message used as a reference for prediction of a period in which another message having the same ID is received. The attack detection device 70 calculates the reception period when the short interval flag = 0 is set for a plurality of messages identified by the same ID as the reference message, and associates them with the order from the reference message (step S22). For the calculation in step S22, the transmission cycle associated with the ID included in the reference message and the reception time of the reference message are used.

  Thereafter, the transmission / reception unit 11 receives the nth message having the same ID as the reference message (step S23). The determination unit 73 determines whether or not the short interval flag of the nth message is set to 1 (step S24). When the short interval flag of the nth message is set to 1, the reference update processing unit 74 sets the nth message as a new reference message, and returns to step S22 (Yes in step S24, step S25). ). When the short interval flag of the nth message is not set to 1, the determination unit 73 determines whether the reception time of the nth message is within the period predicted as the reception period of the nth periodic message. (No in step S24, step S26). If the reception time of the nth message is not included in the period predicted as the reception period of the nth periodic message, the determination unit 73 determines that an attack has been detected (No in step S26, step S27). ).

  On the other hand, when the reception time of the nth message is within the period predicted as the reception period of the nth periodic message, the determination unit 73 determines that no attack has been detected and ends the process (step S26). Yes).

  FIG. 14 shows a case where the messages M41 to M43 and the attack frame AT2 are transmitted as in FIG. Here, it is assumed that the reference update processing unit 74 selects the message M41 as the reference message. Then, the calculation unit 72 calculates the reception period when each message has a short interval flag = 0 for a plurality of messages using the reception time (0 ms) of the message M41, the transmission cycle (100 ms), and the margin. For example, the first message from the message M41 is expected to be received in the period indicated by the arrow P21 when the short interval flag = 0. Similarly, the second short interval flag = 0 message from the message M41 is expected to be received in the period indicated by the arrow P22, and the third short interval flag = 0 message from the message M41 is the period indicated by the arrow P23. Reception is expected at

  Thereafter, it is assumed that the transmission / reception unit 11 receives the message M42. The determination unit 73 treats the message M42 as the first message from the reference message M41. The determination unit 73 does not detect an attack because the message M42 is received during the period indicated by the arrow P21. Next, it is assumed that the transmission / reception unit 11 receives the attack frame AT2. The determination unit 73 treats the attack frame AT2 as the second message from the reference message M41. Since the attacking frame AT2 is received during the period indicated by the arrow P22, the determination unit 73 does not detect an attack at this time. Furthermore, it is assumed that the transmission / reception unit 11 receives the message M43. The determination unit 73 treats the message M43 as the third message from the reference message M41. The determination unit 73 detects an attack because the message M43 has not been received during the period indicated by the arrow P23.

  As described above, in the method according to the embodiment, a message reception period after a plurality of cycles is predicted from a reference message, and an attack is performed in consideration of the numbered message from the reference message. The presence or absence of is determined. For this reason, it is possible to detect an attack even if a wide margin is provided to cope with the delay of the message.

  Hereinafter, an example of processing of the attack detection device 70 will be described in detail using a specific example of information held by the attack detection device 70.

FIG. 15 is a diagram illustrating an example of information held by the attack detection device 70.
The attack detection device 70 stores the transmission condition 31 in advance. The transmission condition 31 is the same as the transmission condition 31 held by the attack detection apparatus 10 and includes the ID, transmission period, margin, and position of the short interval flag included in the periodic message to be received. The transmission condition 31 in FIG. 15 uses a margin of 40 ms for transmitting a periodic message with ID = 0x123 at a period of 100 ms and for predicting a reception period for a periodic message with ID = 0x123. It has been shown. Further, in the message having ID = 0x123, the transmission condition 31 also includes that the first bit of the data field is used as the short interval flag.

  The reference time 76 records the reception time of the message selected as the reference message in association with the ID included in the reference message. The reference message includes a message selected by the reference update processing unit 74 as a message to be used as a reference point for calculation of a reception period among messages transmitted at a transmission cycle, and a message transmitted at an interval shorter than the transmission cycle. , A message received later.

  When the reference time 76 is updated, the calculation unit 72 generates a reception prediction 77 for each ID using the transmission cycle and the margin recorded in the transmission condition 31. FIG. 15 shows an example of the reception prediction 77 generated for the periodic message with ID = 0x123. Since the reference message is received at 50 ms, assuming that the reference message is the 0th message, the period (reception period) during which the nth periodic message received from the reference message can be received is 50 ms + 100 ms × n ± 40 ms. Therefore, the reception period of the periodic message with ID = 0x123 received after the reference message is 110 ms to 190 ms. Similarly, the reception period of the second periodic message from the reference message is 210 ms to 290 ms, and the reception period of the third periodic message from the reference message is 310 ms to 390 ms. The calculation unit 72 records the reception order in the reception prediction 77 in association with the reception order from the reference message when the reference message is the 0th message for each periodic message.

  FIG. 16 is a diagram illustrating an example of an attack detection method according to the second embodiment. Hereinafter, the case where the attack detection apparatus 70 holds the information illustrated in FIG. 15 will be described as an example. In FIG. 16, a frame in which the short interval flag = 0 is represented by a black triangle (▼), and a frame in which the short interval flag = 1 is represented by a white triangle (▽). Further, the reference update processing unit 74 changes the reference message when receiving 10 messages with the short interval flag = 0 without changing the reference message in addition to the reception of the message with the short interval flag = 1. Suppose that it is set.

  Case C31 is an example in which the attack detection device 70 receives the message M51 in 50 ms and the message M51 is selected as the reference message. It is assumed that the control unit 71 calculates the reception period of the message with the short interval flag = 0 when the message M51 is used as a reference in the procedure described with reference to FIG. Case C31 shows the calculated value of the reception period for the first to third messages from message M51. An arrow P52 is a reception period of the first message from the message M51, an arrow P53 is a reception period of the second message from the message M51, and an arrow P53 is a reception period of the third message from the message M51.

  Thereafter, it is assumed that the transmission / reception unit 11 receives the message M52 at 148 ms. When determining that the short interval flag of the message M52 is set to 0, the determination unit 73 determines whether the message M52 is received during the predicted period. Since the reception time of the message M52 is 148 ms and the reception period of the message with the first short interval flag = 0 from the message M51 is 110 ms to 190 ms, the determination unit 73 determines that the message M52 is received during the predicted period. Is determined to have been received. Then, the determination unit 73 does not detect an attack. Since the message M52 is a message with the first short interval flag = 0 from the message M51, the calculation unit 72 does not update the reception period of messages after the message M52.

  In Case C32, the transmission / reception unit 11 receives the message M53 at 200 ms. The determination unit 73 specifies that the short interval flag of the message M53 is set to 1. Then, the reference update processing unit 74 sets the message M53 as a new reference message and discards the reception period calculated based on the message M51. For this reason, as indicated by a dotted arrow in case C32, the reception period of arrows P53 and P54 calculated based on the message M51 at the time of case C31 is discarded. The reference update processing unit 74 sets the reception time of the message M53 to the reference time 76. Since the reference time 76 has been updated, the calculation unit 72 updates the reception prediction 77 in the reception period calculated using the message M53 as a reference. Since the reception time of the message M53 is 200 ms, from the transmission condition 31 (FIG. 15), the calculation unit 72 sets the reception period of the message with the short interval flag = 0 received first from the message M53 to 200 ms + 1 × 100 ms ± 40 ms. = 260 ms to 340 ms. The calculation unit 72 calculates the reception period for subsequent messages by the same process. An example of a reception period in which the message M53 is calculated as a new reference message is indicated by an arrow P53a.

  In case C33, it is assumed that the transmission / reception unit 11 receives the attack frame AT3 at 250 ms. When determining that the short interval flag of the attack frame AT3 is set to 0, the determination unit 73 determines whether the attack frame AT3 is received during the predicted period. The determination unit 73 treats the attack frame AT3 as the first message from the reference message M53. Since the reception time of the attack frame AT3 is 250 ms and the reception period of the message with the first short interval flag = 0 from the message M53 is 260 ms to 340 ms, the determination unit 73 is within the predicted period. It is determined that the attack frame AT3 is not received. Then, the determination unit 73 determines that an attack has been detected.

  FIG. 17 is a flowchart for explaining an example of processing of the attack detection device 70. In FIG. 17, the variable k is used to count the number of messages being processed without changing the reference message.

  The calculation unit 72 acquires the transmission cycle T, the margin M, and the predicted number of times n (step S31). At this time, the calculation unit 72 reads the transmission cycle T and the margin M from the transmission condition 31. The predicted number of times n is the maximum number of messages with the short interval flag = 0 for performing the determination process in a situation where the reference message is not changed. Thereafter, the transmission / reception unit 11 receives the message. When receiving the message after the attack detection device 70 is activated, the reference update processing unit 74 sets the first received message as the reference message and sets the message reception time to t0 (step S32).

  In step S33, the calculation unit 72 calculates a reception period when all n messages are transmitted according to the transmission cycle, using the reception time t0 and the information acquired in step S31. At this time, the reception period of the xth message is calculated as r (x) = t0 + xT ± M. Further, the reference update processing unit 74 sets the variable k to 1.

  The transmission / reception unit 11 further receives a message. The determination unit 73 sets the message reception time to t (k) (step S34). The determination unit 73 determines whether or not the short interval flag of the received message is set to 1 (step S35). When the short interval flag of the received message is not set to 1, since the received message is transmitted along the transmission cycle, the determination unit 73 determines whether t (k) is included in the range of r (k). (No in step S35, step S36). When t (k) is not included in the range of r (k), the determination unit 73 detects an attack (No in step S36, step S40).

  On the other hand, when t (k) is included in the range of r (k), the reference update processing unit 74 determines whether the variable k is equal to the prediction count n (Yes in step S36, step S37). While the variable k is smaller than the prediction number n, the variable k is not equal to the prediction number n (No in step S37). In this case, the reference update processing unit 74 increments the variable k by 1, and returns to step S34 (step S38). When the process after step S34 is repeated and the variable k becomes equal to the predicted number n, the reference update processing unit 74 updates the reference message with the received message, and sets the reception time t (k) to the reception time t of the reference message. Set to (0) (Yes in step S37, step S39). At this time, the reference update processing unit 74 updates the reference time 76. Then, the process of step S33 is performed. That is, the calculation unit 72 uses the updated reference time 76 to calculate a reception period when a new reference message to n-th message is transmitted in the transmission cycle. In addition, the reference update processing unit 74 updates the variable k to 1.

  When the short interval flag of the received message is set to 1, the reference update processing unit 74 updates the reference message with the received message, and sets the reception time t (k) to the reception time t (0) of the reference message. (Yes in step S35, step S39). Thereafter, the processing after step S33 is performed.

  FIG. 18 is a flowchart for explaining an example of processing of the attack detection device 70 in a modification of the second embodiment. In FIG. 18, the determination whether the reception time of the message is included in the reception period is performed before the determination of the value of the short interval flag.

  The processing of steps S41 to S44 is the same as steps S31 to S34 described with reference to FIG. In step S45, the determination unit 73 determines whether t (k) is included in the range of r (k). When t (k) is not included in the range of r (k), the determination unit 73 determines whether the short interval flag of the received message is set to 1 (No in step S45, step S49). When the short interval flag of the received message is not set to 1, the determination unit 73 detects an attack (No in step S49, step S51).

  On the other hand, when the short interval flag of the received message is set to 1, the determination unit 73 updates the reference message with the received message, and sets the reception time t (k) to the reception time t (0) of the reference message. (Yes in step S49, step S50). At this time, the reference update processing unit 74 updates the reference time 76. Then, the process after step S43 is performed.

  Even when it is determined in step S45 that t (k) is included in the range of r (k), the determination unit 73 determines whether the short interval flag of the received message is set to 1 (step S45). Yes in S45, step S46). When the short interval flag of the received message is set to 1, the determination unit 73 updates the reference message with the received message, and sets the reception time t (k) to the reception time t (0) of the reference message (step) Yes in S46, step S50).

  If it is determined that t (k) is included in the range of r (k), and further, it is determined that the short interval flag of the received message is not set to 1, the reference update processing unit 74 determines that the variable It is determined whether k is equal to the predicted number n (No in step S46, step S47). While the variable k is smaller than the prediction number n, the variable k is not equal to the prediction number n (No in step S47). In this case, the reference update processing unit 74 increments the variable k by 1, and returns to step S44 (step S48). When the process after step S44 is repeated and the variable k becomes equal to the predicted number n, the reference update processing unit 74 updates the reference message with the received message, and sets the reception time t (k) to the reception time t of the reference message. It is set to (0) (Yes in step S47, step S50). After the process of step S50, the process after step S43 is performed.

  As described above, also in the method according to the second embodiment, the attack detection device 70 determines whether the message is transmitted from the transmission device at an interval shorter than the cycle, as in the first embodiment. Can be specified. Furthermore, the attack detection device 70 uses a message selected from messages received during the predicted reception period or a message that has been confirmed to be transmitted at an interval shorter than the transmission period, and Predict the reception time. For this reason, the method according to the second embodiment also has a system in which the time that is the reference of the periodic message period varies depending on the transmission time of the non-periodic message, and the time that is the reference of the periodic message period varies depending on the non-periodic message. It can be applied to any system that does not.

  Furthermore, in the second embodiment, erroneous detection is prevented by taking a wide margin. At this time, the attack detection device 70 predicts the message reception period after a plurality of cycles from the reference message, and considers the number of messages from the reference message in consideration of the estimated reception period. By determining the presence or absence, it is possible to prevent an attack from being overlooked. Therefore, according to the second embodiment, the accuracy of attack detection in a system in which both data frames that are periodically transmitted and data frames that are not transmitted every period are transmitted is improved.

<Others>
The embodiment is not limited to the above, and can be variously modified. Some examples are described below.

  In the above description, the case where the value of the first bit of the data is used has been described as an example, but the position of the information used as the short interval flag is an arbitrary position of the data field. A plurality of bits may be used as the short interval flag. In this case, when transmitting frames at intervals shorter than the transmission cycle, the transmission device 40 may increment the value of the area used as the short interval flag. Similarly, the transmission device 40 may decrement the value of the area used as the short interval flag when transmitting frames at intervals shorter than the transmission cycle. In addition, when transmitting frames at intervals shorter than the transmission cycle, the transmission device 40 may change the value of the area used as the short interval flag. In this case, when transmitting frames at the same interval as the transmission cycle, the transmission device 40 is set so that the value of the area used as the short interval flag does not change. The determination unit 22 or the determination unit 73 in the attack detection device 10 stores the value of the short interval flag in the previously received message, and compares it with the value of the short interval flag in the newly received message. Then, it is determined whether or not the newly received message is transmitted along the transmission cycle.

  Furthermore, the determination unit 73 may use the fact that the cycle has changed in other IDs associated in advance as a short interval flag. For example, when there is a property of always receiving a message with ID = 0x123 after a certain time of ID = 0x110, when receiving a message with 0x123 outside the range of ± margin after a certain time after receiving ID = 0x110, at short intervals. You may judge that there is. For example, it is assumed that the determination unit 73 monitors the transmission cycle of a message with ID = 0x110. In this case, the determination unit 73 determines that the message with ID = 0x123 received immediately after the fluctuation of the transmission cycle of the message with ID = 0x110 is transmitted with a cycle shorter than the transmission cycle. good. In addition, when a specific area in the data of the message with ID = 0x110 is used as the short interval flag and the short interval flag = 1 is set with ID = 0x110, the determination unit 73 sets the message with ID = 0x123. May be determined to be transmitted in a cycle shorter than the transmission cycle.

  Further, the determination unit 73 may use the state of a vehicle or the like on which the CAN network is mounted, or the connection state between the CAN network and an external device as a substitute for the short interval flag.

  A plurality of these conditions may be used simultaneously. At this time, an AND condition having a plurality of properties or an OR condition may be used.

  In the above description, the case where the attack detection device (10, 70) and the transmission device 40 are different devices has been described as an example. However, for one ID, the device operates as the attack detection device 10, 70. For other IDs, the transmitter 40 may operate. In this case, since the device that performs both attack detection and message transmission operates as both the attack detection device 10 and the transmission device 40, the transmission / reception unit 11, the control unit 20, the storage unit 30, the control unit 50, and the storage unit 60. Is provided. The device that operates as both the processing as the attack detection device 70 and the transmission device 40 includes a transmission / reception unit 11, a control unit 71, a storage unit 75, a control unit 50, and a storage unit 60. The technique disclosed in the present invention can also be applied to an extended specification called CAN-FD (CAN with Flexible Data Rate).

The following additional notes are disclosed regarding the embodiment including the first and second embodiments described above.
(Appendix 1)
A transmission / reception unit for receiving a message from a communication device in the network;
A calculation unit that calculates a reception period of a periodic message received after the first message by using a reception time of the first message of the periodic message transmitted periodically;
When the transmission / reception unit receives the second message associated with the information indicating that it has been transmitted at a transmission interval shorter than the transmission cycle outside the reception period after the reception of the first message, the calculation unit Updates the reception period of periodic messages received after the second message by using the reception time of the second message and the transmission period.
(Appendix 2)
A determination unit that determines whether an attack has occurred on the network;
The data in the message transmitted from the communication device includes a flag indicating whether the message is transmitted at a transmission interval shorter than the transmission cycle,
The determination unit determines that an attack on the network has occurred when a reception time of a message having a flag indicating that it has been transmitted at the same transmission interval as the transmission cycle is not included in the reception period. The attack detection apparatus according to appendix 1.
(Appendix 3)
A storage unit for storing the reception period;
The calculating unit calculates a reception period of a plurality of periodic messages transmitted after the second message with reference to the second message;
The storage unit stores the reception period corresponding to each of the plurality of periodic messages transmitted after the second message;
The determination unit determines that an attack on the network is detected when the reception time of the periodic message transmitted after the second message is not included in the associated reception period. The attack detection device according to attachment 2.
(Appendix 4)
Receive messages from communication devices in the network,
Using the reception time of the first message of the periodic message transmitted periodically, the reception period of the periodic message received after the first message is calculated,
When the second message associated with the information indicating that it has been transmitted at a transmission interval shorter than the transmission cycle is received outside the reception period after the reception of the first message, the second message is received. An attack detection method, wherein the attack detection device performs processing for updating a reception period of a periodic message received after the second message by using time and the transmission cycle.
(Appendix 5)
The data in the message transmitted from the communication device includes a flag indicating whether the message is transmitted at a transmission interval shorter than the transmission cycle,
The attack detection device determines that an attack has occurred on the network when a reception time of a message having a flag indicating that the message is transmitted at the same transmission interval as the transmission cycle is not included in the reception period. The attack detection method according to appendix 4.
(Appendix 6)
The attack detection device includes:
Calculating a reception period of a plurality of periodic messages transmitted after the second message on the basis of the second message;
Storing the reception period corresponding to each of the plurality of periodic messages transmitted after the second message;
According to appendix 4 or 5, wherein when the reception time of the periodic message transmitted after the second message is not included in the associated reception period, it is determined that an attack on the network has been detected. The attack detection method described.
(Appendix 7)
Receive messages from communication devices in the network,
Using the reception time of the first message of the periodic message transmitted periodically, the reception period of the periodic message received after the first message is calculated,
When the second message associated with the information indicating that it has been transmitted at a transmission interval shorter than the transmission cycle is received outside the reception period after the reception of the first message, the second message is received. An attack detection program for causing an attack detection device to perform a process of updating a reception period of a periodic message received after the second message using time and the transmission period.
(Appendix 8)
The data in the message transmitted from the communication device includes a flag indicating whether the message is transmitted at a transmission interval shorter than the transmission cycle,
When the reception time of a message having a flag indicating that it has been transmitted to the attack detection device at the same transmission interval as the transmission cycle is not included in the reception period, processing is performed to determine that an attack has occurred on the network The attack detection program according to appendix 7, characterized in that:
(Appendix 9)
In the attack detection device,
Calculating a reception period of a plurality of periodic messages transmitted after the second message on the basis of the second message;
Storing a reception period corresponding to each of the plurality of periodic messages transmitted after the second message;
Note that when a reception time of the periodic message transmitted after the second message is not included in the associated reception period, a process for determining that an attack on the network is detected is performed. 9. The attack detection program according to 7 or 8.

10, 70 Attack detection device 11 Transmission / reception unit 20, 50, 71 Control unit 21, 72 Calculation unit 22, 73 Determination unit 30, 60, 75 Storage unit 31, 61 Transmission condition 32 Reception status information 33, 77 Reception prediction 40 Transmission device 51 Data Generation Unit 52 Flag Setting Unit 53 Frame Generation Unit 62 Flag Setting Condition 74 Reference Update Processing Unit 76 Reference Time 100 ECU
101 CAN Transceiver 102 CAN Controller 103 Processing Circuit 104 Processor 105 Memory

Claims (5)

A transmission / reception unit for receiving a message from a communication device in the network;
A calculation unit that calculates a reception period of a periodic message received after the first message by using a reception time of the first message of the periodic message transmitted periodically;
When the transmission / reception unit receives the second message associated with the information indicating that it has been transmitted at a transmission interval shorter than the transmission cycle outside the reception period after the reception of the first message, the calculation unit Updates the reception period of periodic messages received after the second message by using the reception time of the second message and the transmission period. A determination unit that determines whether an attack has occurred on the network;
The data in the message transmitted from the communication device includes a flag indicating whether the message is transmitted at a transmission interval shorter than the transmission cycle,
The determination unit determines that an attack on the network has occurred when a reception time of a message having a flag indicating that it has been transmitted at the same transmission interval as the transmission cycle is not included in the reception period. The attack detection apparatus according to claim 1. A storage unit for storing the reception period;
The calculating unit calculates a reception period of a plurality of periodic messages transmitted after the second message with reference to the second message;
The storage unit stores the reception period corresponding to each of the plurality of periodic messages transmitted after the second message;
The determination unit determines that an attack on the network is detected when the reception time of the periodic message transmitted after the second message is not included in the associated reception period. The attack detection apparatus according to claim 2. Receive messages from communication devices in the network,
Using the reception time of the first message of the periodic message transmitted periodically, the reception period of the periodic message received after the first message is calculated,
When the second message associated with the information indicating that it has been transmitted at a transmission interval shorter than the transmission cycle is received outside the reception period after the reception of the first message, the second message is received. An attack detection method, wherein the attack detection device performs processing for updating a reception period of a periodic message received after the second message by using time and the transmission cycle. Receive messages from communication devices in the network,
Using the reception time of the first message of the periodic message transmitted periodically, the reception period of the periodic message received after the first message is calculated,
When the second message associated with the information indicating that it has been transmitted at a transmission interval shorter than the transmission cycle is received outside the reception period after the reception of the first message, the second message is received. An attack detection program for causing an attack detection device to perform a process of updating a reception period of a periodic message received after the second message using time and the transmission period.

Images